Segregation of Duties (SoD)
Domain 5 — Protection of Information Assets
Definition
Segregation of Duties is an internal control principle that requires no single individual to have control over all phases of a critical transaction or process. It distributes responsibility across multiple people to reduce the risk of error, fraud, or unauthorised activity. In IS audit, SoD is tested by reviewing role assignments, system access privileges, and transaction workflows. A classic SoD violation occurs when the same employee can initiate, approve, and reconcile a financial transaction — creating an opportunity for fraud without detection.
Real-World Audit Scenario
During a routine audit of a mid-sized retail client's procurement system, I noticed one employee with administrator-level access to the ERP's procurement, accounts payable, and vendor management modules. When I asked the IT manager about it, the response was "he built the system, so he needs full access." I ran a transaction log report and found he had created a new vendor, submitted a purchase order for $47,000, and approved the invoice for payment — all three steps by himself. There was no evidence of fraud, but the control gap was textbook: no preventive control existed to stop a single person from creating a fake vendor and paying a fabricated invoice. We flagged it as a high-risk finding.
Common Exam Trap
A question may describe a SoD violation with an answer option suggesting "terminate the employee's access entirely." That is too extreme. The correct answer is usually "modify the conflicting access rights" or "implement compensating controls" such as a monthly conflict-of-interest report.
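The definition above says SoD is tested by reviewing role assignments, access privileges and transaction workflows, and the scenario and exam trap describe the two outcomes of that review: a preventive fix (remove the conflicting rights) and a detective compensating control (a periodic report of transactions one person carried end to end). The following is an added example, not the page's own code, of scripting both checks against ERP exports. The permission names, the conflict matrix, the role mapping and the pipe-delimited log format are all assumptions made for illustration; the log lines are constructed to mirror the procurement scenario above.

```python
"""Added example, not the page's own code: two SoD checks an IS auditor
could script against ERP exports. The permission names, conflict matrix,
role mapping and log format are all assumptions made for illustration."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Hypothetical conflict matrix: pairs of duties no single person may hold.
CONFLICTING_DUTIES: Set[frozenset] = {
    frozenset({"vendor.create", "invoice.approve"}),
    frozenset({"po.submit", "invoice.approve"}),
    frozenset({"invoice.approve", "payment.reconcile"}),
}

# Hypothetical role -> permission mapping, as an ERP role export might give it.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "procurement_clerk": {"po.submit"},
    "ap_approver": {"invoice.approve"},
    "vendor_master": {"vendor.create"},
    "treasury": {"payment.reconcile"},
    "erp_admin": {"vendor.create", "po.submit", "invoice.approve", "payment.reconcile"},
}

# Constructed user -> role assignments for the walkthrough.
USER_ROLES: Dict[str, List[str]] = {
    "jdoe": ["erp_admin"],
    "asmith": ["procurement_clerk"],
    "bchen": ["ap_approver"],
    "mlee": ["vendor_master", "ap_approver"],
}

# Constructed transaction log, format: timestamp|user|action|key=value;key=value
SAMPLE_LOG = """\
2024-03-04T09:12:01|jdoe|vendor.create|vendor=V-2091
2024-03-04T09:20:44|jdoe|po.submit|po=PO-7781;vendor=V-2091;amount=47000
2024-03-05T10:02:13|jdoe|invoice.approve|po=PO-7781;invoice=INV-3320
2024-03-06T08:40:00|asmith|po.submit|po=PO-7790;vendor=V-1001;amount=1200
2024-03-06T11:15:27|bchen|invoice.approve|po=PO-7790;invoice=INV-3331
"""


def effective_permissions(roles: List[str]) -> Set[str]:
    """Union of the permissions granted by all of a user's roles."""
    perms: Set[str] = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def find_role_conflicts(user_roles: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Preventive check: users whose combined roles hold a conflicting pair."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTING_DUTIES if pair <= perms)
        if hits:
            findings[user] = hits
    return findings


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed pipe-delimited log into one dict per event."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, rest = line.split("|", 3)
        attrs = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
        events.append({"ts": ts, "user": user, "action": action, **attrs})
    return events


def find_single_actor_chains(events: List[Dict[str, str]],
                             min_steps: int = 2) -> Dict[str, Tuple[str, List[str]]]:
    """Detective check: per purchase order, one user performing min_steps or
    more of vendor creation, PO submission and invoice approval.
    Returns {po_id: (user, [steps done by that user])}."""
    # Link vendor creation to the POs that later reference the vendor.
    vendor_creator = {e["vendor"]: e["user"] for e in events if e["action"] == "vendor.create"}
    po_steps: Dict[str, Dict[str, str]] = defaultdict(dict)
    for e in events:
        if e["action"] == "po.submit":
            po_steps[e["po"]]["po.submit"] = e["user"]
            if e.get("vendor") in vendor_creator:
                po_steps[e["po"]]["vendor.create"] = vendor_creator[e["vendor"]]
        elif e["action"] == "invoice.approve":
            po_steps[e["po"]]["invoice.approve"] = e["user"]
    findings: Dict[str, Tuple[str, List[str]]] = {}
    for po, steps in po_steps.items():
        by_user: Dict[str, List[str]] = defaultdict(list)
        for step, user in steps.items():
            by_user[user].append(step)
        for user, done in by_user.items():
            if len(done) >= min_steps:
                findings[po] = (user, sorted(done))
    return findings


if __name__ == "__main__":
    for user, pairs in find_role_conflicts(USER_ROLES).items():
        print(f"role conflict: {user} holds {pairs}")
    for po, (user, steps) in find_single_actor_chains(parse_log(SAMPLE_LOG)).items():
        print(f"single-actor chain: {po} steps {steps} all by {user}")
```

Run against the constructed data, the role check flags jdoe (all three conflicting pairs via the admin role) and mlee (vendor creation plus invoice approval through two separately harmless roles, the kind of conflict that only appears when permissions are unioned across roles), while the log check flags PO-7781 as a vendor-create, submit and approve chain carried out by one user. The second check is what a monthly conflict report would be built on: it does not prevent the transaction, but it surfaces it for independent review.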